Insecure Apps & APIs are a Problem


Your business depends on web applications 


Any app or API can be a foothold into your 
organization 


Developers are not incentivized for security 


Cloud-based apps are easy for developers to 
deploy 


Web Applications are Being Targeted


> Most common data breach pattern * 


> Top hacking vector * 


U.S. Postal Service (API)
Facebook (API)
Google+ (API)
MyFitnessPal (API?)
Equifax


* Source: 2018 Verizon DBIR 


Apps & APIs are Everywhere


Public-Facing Web Apps


Internal Web Apps 




Apps in Public Clouds 




REST APIs 


New Apps under Development

Qualys Web Application Scanning (WAS)


A leading dynamic application security testing (DAST) tool

Identifies app-layer vulnerabilities:
OWASP Top 10
CWEs
Web-related CVEs

Automated crawling
Supports Selenium scripts
Scans REST APIs
Malware scanning as a bonus
Recent Enhancements

Aug 2018
Burp extension
Results for cancelled scans
Scan status improvements
Scan settings snapshot
Retest multiple findings

Sept 2018
Browser engine upgrade
XSS Power Mode
Assign tags upon import
ESI injection
WebSocket detection

Nov 2018
Burp & Bugcrowd findings in report
Time limit for ignored finding
"Launch Now" for scheduled report

Dec 2018
Blind XPath injection
Improved KB search
Custom report footer

Jan 2019
Custom scan intensity
Auth record permission

Mar 2019
Security header QIDs
Jenkins plugin v2
Scanning with WAS in DevOps

Diagram: Developers, a Source Code Repository and Jenkins feed the Dev, Test/QA and Staging Environments; a Scan step runs the WAS Engine on a Qualys Scanner Appliance against each environment.
DEMO: Qualys WAS Jenkins Plugin v2

Screenshot: Jenkins > Acme Application > Pipeline Syntax (Snippet Generator)

Overview

This Snippet Generator will help you learn the Pipeline Script code which can be used to define various steps. Pick a step you are interested in from the list, configure it, click Generate Pipeline Script, and you will see a Pipeline Script statement that would call the step with that configuration. You may copy and paste the whole statement into your script, or pick up just the options you care about. (Most parameters are optional and can be omitted in your script, leaving them at default values.)

Steps

Sample Step: qualysWASScan: Qualys WAS Plugin for Jenkins
API Login

Provide details for accessing the Qualys Container Security API

API Server URL: https://qualysapi.qualys.com
Example: https://qualysapi.qualys.com (Refer to the WAS API User Guide for more information)

API Username: qualys_aa12

API Password:

[ ] Use Proxy Settings

Test Connection: Connection test successful!


Manual Testing Complements WAS 


Dynamic application scanning is one piece of the AppSec puzzle 
Manual penetration testing is important for your business-critical apps


Qualys WAS offers: 


Bugcrowd integration 
Burp Suite integration 
Partnerships with consulting companies 
Qualys WAS Burp Extension


Burp Suite Web Application Scanning 


A quick, intuitive way to send Burp-discovered issues into WAS 
Provides centralized viewing/reporting of WAS detections + Burp issues 


Available today in Burp's BApp Store 
DEMO: Qualys WAS Burp Extension

Screenshot: Burp Suite Extender > BApp Store

The BApp Store contains Burp extensions that have been written by users of Burp Suite, to extend Burp's capabilities.


Qualys WAS (by Qualys)

The Qualys WAS Burp extension provides a way to easily push Burp scanner findings to the Web Application Scanning (WAS) module within the Qualys Cloud Platform. As a Qualys WAS customer, you can then view and report Burp issues alongside WAS findings for a more complete picture of your web application's security posture.

To learn more about Qualys WAS, its integration with Burp, and the additional security and compliance solutions available in the Qualys Cloud Platform, please visit https://qualys.com/was-burp

Requirements:
Burp Suite Professional 1.7 or later
Qualys WAS subscription, including API

Features:
Straightforward setup and usage
Supports all Qualys shared platforms as well as private cloud platforms
Selected Burp scanner finding(s) exported to Qualys WAS via context menu
Upstream proxy server settings in Burp are honored automatically
Option to purge or close existing Burp issues in WAS
Written in Java

Usage:
1. Add the extension to your instance of Burp Suite Professional by installing directly from the "BApp Store" tab within Burp or by loading the jar file from the Extensions tab.
2. In the "Qualys WAS" tab, select the appropriate Qualys platform for your subscription and enter your Qualys username & password.


WAS Roadmap

April 2019
Cancel slice in multi-scan
Expanded Finding API

May-June 2019
Full HTTP request
Info Leakage via header
TLS 1.3

Q3 2019 *
Postman Collections
User-defined signatures
Enhanced crawling

Q4 2019 *
New dashboard
Bamboo plugin
Catalog API

* Tentative
Qualys WAF

Virtual (inline) reverse-proxy deployed alongside web servers.

Inspects HTTP/S traffic, including Web Services and REST APIs.

Protects against numerous types of attacks, including the OWASP Top 10.
Out-of-the-box security policies for various application types
User-defined Custom Rules

HTTP profiles (protocol shaping)
Supported Platforms

Deploy anywhere

Screenshot: Select Virtual Appliance Image (choose the virtualization platform you want to use to run your WAF appliance on)

VMware: Standard VMware virtualization platform
Hyper-V: Microsoft Hyper-V 5.1 virtualization platform
Amazon EC2: Amazon EC2-Classic, Amazon EC2-VPC
Microsoft Azure: Microsoft Azure platform
Google Cloud Platform
Docker platform
Built-in Security Policies

Out-of-the-box rulesets written by Qualys security researchers

Screenshot: Web Application Edit > Security Policy (a combination of protocol profiles and security templates that protect the application)
Action: Block
Policy: chosen from the built-in templates, e.g. Drupal, JBoss, Joomla!, Magento 1.x, Magento 1.x.x, Magento 2.x, Magento 2.x.x
User-Defined Custom Rules

Adjust your security policy manually

Screenshot: Rule Creation wizard (Rule Details, Conditions, Actions, Review And Confirm)

Conditions (Step 2 of 4) are built from request fields such as:
request.query-string.length
request.query-string.parameter
request.query-string.parameter.count
request.query-string.parameter.name
request.query-string.parameter.name.length
request.query-string.parameter.value
request.query-string.parameter.value.length
request.url
Example: match request parameter value foo

Actions (Step 3 of 4): Allow, Block, Insert header, Rewrite header, Strip header, Redirect, Block with custom page, Log, or a custom response
Load-Balancing and SSL-Offloading

To ease integration with the network environment

Screenshot: Server Pool Creation (Server Pool Details, Configuration, Review And Confirm)
Protocol: HTTPS
Servers: http:// (type address + Enter)
Load-balancing: roundrobin

Screenshot: Web Application Edit for "MKA 2nd App" (configure application and network settings)

SSL Certificates
Certificate: Jonas SSL
Warnings shown for the selected certificate:
The certificate expired on 13 Feb 2018
The certificate is self signed
The web application's URL (https://demo06.s02.sjc01.qualys.com/) didn't match the certificate's common or alt names

SSL/TLS Protocol: TLS 1.2
Cipher suite security level: Strong
Cipher Suite:
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
[ ] ssl v3
[ ] unsafe
Actionable Security Data

Screenshot: Dashboard - All Web Applications, last 30 days (Wed 13 Mar 2019 - Fri 12 Apr 2019)
Activity Timeline
Web Application Statistics: Hits (10.9M), Blocked, Events (3.34M), Client Bandwidth
Event Summary, Top Events, Traffic Origins
WAS / WAF Integration: ScanTrust


ScanTrust : Challenge your WAF protection with WAS 
Assess both the application and the policy that protects it 


1. Request inspected and forwarded to backend server 
WAS / WAF Integration: Virtual Patch

Virtual Patch : One-click mitigation tool

Pushes a custom rule to the WAF to block exploitation of a known vulnerability

Screenshot: "You are about to install a virtual patch"

We'll automatically add a virtual patch rule to your WAF to block exploitation of the selected vulnerability on your web application. You can easily remove the virtual patch (and rule) at any time either here or from the WAF management interface.

Patch Details (View Detection)

When request.header.content-type MATCH "^.*\%.*\{.*multipart/form-data$"

Screenshot: rule list, e.g.
request.header.content-type MATCH ^.*\%.*\{.*multipart...
request.header Content-Type DETECT 150173
MATCH ".*admin.*$"
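To make the rule conditions from the User-Defined Custom Rules slide and the virtual-patch rule above concrete, here is a small rule evaluator added as an example (it is not Qualys WAF's rule engine); the rule shape, the GREATER_THAN operator and the sample requests are assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs
# Assumed rule shape: {"name", "when": [(field, operator, value), ...], "action"};
# field names mirror the slides' condition builder, GREATER_THAN is an assumed operator.

def field_values(req, field):
    """Resolve a condition field to the list of values it takes in this request."""
    url = urlparse(req["url"])
    qs = parse_qs(url.query, keep_blank_values=True)
    if field == "request.url":
        return [req["url"]]
    if field == "request.query-string.length":
        return [len(url.query)]
    if field == "request.query-string.parameter.value":
        return [v for vals in qs.values() for v in vals]
    if field.startswith("request.header."):
        name = field[len("request.header."):].lower()
        return [v for k, v in req["headers"].items() if k.lower() == name]
    raise ValueError(f"unsupported field: {field}")

def condition_holds(req, cond):
    """A condition holds if any value of its field satisfies the operator."""
    field, op, expected = cond
    for val in field_values(req, field):
        if op == "MATCH" and re.search(expected, str(val)):
            return True
        if op == "GREATER_THAN" and val > expected:
            return True
    return False

def evaluate(req, rules):
    """First rule whose conditions all hold decides; otherwise the request is allowed."""
    for rule in rules:
        if all(condition_holds(req, c) for c in rule["when"]):
            return rule["action"], rule["name"]
    return "Allow", None
RULES = [
    # Virtual-patch rule from the slide: '%' and '{' ahead of a trailing multipart/form-data.
    {"name": "vpatch-content-type", "action": "Block",
     "when": [("request.header.content-type", "MATCH", r"^.*\%.*\{.*multipart/form-data$")]},
    {"name": "long-query", "action": "Block",
     "when": [("request.query-string.length", "GREATER_THAN", 2048)]},
    {"name": "admin-audit", "action": "Log", "when": [("request.url", "MATCH", r".*admin.*$")]},
]
# Constructed sample requests (not captured traffic).
UPLOAD = {"url": "https://shop.example/upload", "headers": {"Content-Type": "multipart/form-data; boundary=xyz"}}
PATCHED = {"url": "https://shop.example/upload", "headers": {"Content-Type": "%{#nop}.multipart/form-data"}}
ADMIN = {"url": "https://shop.example/admin/login?user=foo", "headers": {}}
LONG = {"url": "https://shop.example/search?q=" + "a" * 3000, "headers": {}}
```

Rules are evaluated in order and the first match wins, so a blocking virtual patch placed ahead of logging rules is applied before the request reaches the backend pool.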
Container Considerations

Server pools need to be maintained on WAF

Identifying a backend container in advance can be tedious

Need for scalability
Need for automation
Need for security
Virtual Firewall Container (QVFC)


Lightweight sensor (350 MB) 


Integrates with Docker Service 


Dynamic pool automation = Scalability 


Orchestration via Qualys API 
Benefits of the Docker Integration


Rapid deployment 

Bring elasticity to the server pool 
Automate with Kubernetes 

Secure dynamic assets, dynamically 
Simplify backend maintenance operations 
Deploy as a Side-Car Proxy

Diagram: on each Host, a Docker Engine runs several application Containers alongside the side-car proxy (marked with the Qualys logo); shown across OpenShift, Amazon ECS and Kubernetes.

Or Deploy on PaaS via Kubernetes

Diagram: Google Cloud Platform Kubernetes Cluster (Container Engine); the sensor fetches its QVFC registration and configuration from Qualys, and Infosec/SOC monitors it from a browser.
Thank You


Dave Ferguson 
dferguson@qualys.com 


